Software Security
CompSci 725 FC 01
Clark Thomborson
Handout 62: List of Required Readings
Conceptual Foundations: Terminology, Ethics, Law
- C. Pfleeger, "Is there a security problem in computing?", Chapter 1 of Security in Computing, 2nd edition, Prentice Hall, 1997.
- Patent Law Basics, Office of Technology Transfer, University of Arizona, 14 December 1998.
- K. Nichols, "The Age of Software Patents", IEEE Computer, April 1999.
- Letters to the editor, by Gimlan, Page and Hayden in response to Nichols' article, IEEE Computer, June 1999.
- P. Samuelson, "Encoding the Law into Digital Libraries", Comm. ACM, April 1998.
- Ethical statements from IEEE, CPSR, and RSNZ.
- Pfleeger, "Ethical issues in computer security," section 11.5 of Security in Computing, 2nd edition, Prentice Hall, 1997.
- C. Mann, "Who will own your next good idea?", The Atlantic Monthly, 57-82, September 1998.
- H. Rosner, "Steal this software," The.Standard.com, June 19, 2000.
- P. Radatti, "Cybersoft, Incorporated Moral Guidelines," Cybersoft, Inc, 1996.
- Kenneth Ho, "A Study into the Problem of Software Piracy in Hong Kong and China," Master's dissertation, Management and Information Systems, London School of Economics and Political Science, 1995. http://www.info.gov.hk/ipd/piracy.html
Protection Techniques: Tamperproofing, Obfuscation,
Watermarking, Cryptography
- “Foundations”, Chapter 1 of Applied Cryptography: protocols, algorithms, and source code in C, by Bruce Schneier, John Wiley & Sons, second edition, 1996, pp. 1-17.
- D. Aucsmith, "Tamper Resistant Software: An Implementation", in Information Hiding Workshop, RJ Anderson (ed), LNCS 1174, pp. 317-333, 1996.
- “Core
PKI Services: Authentication, Integrity, and Confidentiality”, Chapter 4
of Understanding Public Key Cryptography, by C Adams and S Lloyd,
MacMillan Technical Publishing, 1999. Available: http://www.microsoft.com/technet/security/corepki.asp?a=printable,
April 2001. (reading for Assignment 2)
- C.
Collberg and C. Thomborson, "Watermarking,
Tamperproofing, and Obfuscation - Tools for Software Protection,"
Computer Science Department Technical Report 170, University of Auckland,
February 2000, 15 pp.
- Drew Dean, Edward W Felten, Dan S Wallach, "Java Security: From HotJava to Netscape and Beyond", In 1996 IEEE Symposium on Security and Privacy, May 1996. http://www.cs.princeton.edu/sip/.
- N Ferguson, J Kelsey, et al.,
“Improved Cryptanalysis of Rijndael,” Seventh Fast Software Encryption
Workshop, Springer-Verlag, 2000 (to appear), available: http://www.counterpane.com/rijndael.html,
February 2001.
- Fritz Hohl, Time Limited
Blackbox Security: Protecting Mobile Agents from Malicious Hosts, In Mobile
Agents and Security, Springer Verlag, LNCS 1419, pp. 92-113, 1998.
- F Sebé et al., “Spatial-Domain
Image Watermarking Robust against Compression, Filtering, Cropping, and
Scaling.” In LNCS 1975, eds. Pieprzyk et al., pp. 44-53,
Springer-Verlag, 2000.
Language-Based Security: Java, CORBA, Safe-Tcl
- Alireza, U. Lang, M. Padelis,
R. Schreiner, M. Schumacher, “The Challenges of CORBA Security”, to appear
in Proceedings of the Workshop "Sicherheit in Mediendaten",
Gesellschaft für Informatik (GI), Springer-Verlag. Available: http://citeseer.nj.nec.com/393276.html,
May 2001; see also http://www.springer.de/comp-de/inf_akt/index.html.
- David M. Chess, Security Issues
in Mobile Code Systems, In Mobile Agents and Security, Springer Verlag, LNCS 1419,
pp. 1-14, 1998. Other publications by Chess are available at http://www.research.ibm.com/people/c/chess/pubs.html.
- Drew Dean, Edward W Felten, Dan S Wallach, "Java Security: From HotJava to Netscape and Beyond", In 1996 IEEE Symposium on Security and Privacy, May 1996. http://www.cs.princeton.edu/sip/.
- Li Gong, Roland Schemers, Signing,
Sealing, and Guarding Java Objects. In Mobile Agents and
Security, Springer
Verlag, LNCS 1419, pp. 206-216, 1998.
Available: http://link.springer.de/link/service/series/0558/tocs/t1419.htm, April 2001.
- Mark LaDue, "The Maginot
License: Failed Approaches to Licensing Java Software Over the
Internet," 1997. http://metro.to/mladue/hostile-applets/maginot.html.
- John K. Ousterhout, Jacob Y.
Levy, Brent B. Welch, "The Safe-Tcl Security Model," In Mobile
Agents and Security, Springer Verlag, LNCS 1419, pp. 217-234, 1998.
Available: http://link.springer.de/link/service/series/0558/tocs/t1419.htm,
April 2001.
- Dan S Wallach, Dirk Balfanz,
Drew Dean and Edward W Felten, "Extensible Security Architectures for
Java", 16th ACM Symp on Operating Systems Principles,
October 1997. Available: http://www.acm.org/pubs/citations/proceedings/ops/268998/p116-wallach/,
and http://www.cs.princeton.edu/sip/pub/sosp97.html,
May 2001. See http://citeseer.nj.nec.com/wallach97extensible.html.
Secure Systems: GSM, e-commerce, email, Smart Cards,
Webservice, Operating Systems, Use of COTS
- Mihir Bellare, Juan Garay, Ralf
Hauser, Amir Herzberg, Hugo Krawczyk, Michael Steiner, Gene Tsudik, Els
Van Herreweghen, and Michael Waidner. Design, implementation and
deployment of a secure account-based electronic payment system. Research
Report RZ 3137, IBM Research Division, June 1999. http://www.zurich.ibm.com/Technology/Security/publications/1999/BGHHKSTHW99.ps.gz
- F Cohen, Operating System Protection Through Program Evolution, web document (“Generated Sat Feb 28 13:36:44 PST 1998 by fc@all.”; “Copyright 1992.”). Available: http://all.net/books/IP/evolve.html, April 2001.
- I.J. Cox and J.P.M.G. Linnartz,
"Some general methods for tampering with watermarks", IEEE
Journ. of Sel. Areas in Comm: 16 (4), May 1998, pp. 587-593. Available: http://ieeexplore.ieee.org/iel4/49/14639/00668980.pdf,
March 2001.
- C Gilmore, “Secure Remote
Access to an Internal Web Server,” IEEE Network, Nov-Dec 1999, pp.
31-37.
- P Girard and J-L Lanet, “New
Security Issues Raised by Open Cards,” in Elsevier Technical Report on
Security, pp19-27, Vol 4, N°2; available as Technical Report SM-99-03,
Gemplus Research Lab, June 1999. http://www.gemplus.fr/smart/r_d/publications/art17.htm.
- Hans Hedbom, Stefan Lindskog,
Stefan Axelsson, Erland Jonsson. A
Comparison of the Security of Windows NT and Unix, web document, October
1998. Available: http://www.ce.chalmers.se/staff/sax/nt-vs-unix.pdf,
May 2001. See http://citeseer.nj.nec.com/205186.html.
- L Law, S Sabett, J Solinas,
“How to Make a Mint: The Cryptography of Anonymous Electronic Cash”,
National Security Agency (USA) Cryptology Division, technical report provided
on October 31, 1996 by the 21st Century Banking Alert service (http://www.ffhsj.com/bancmail/bancpage.htm)
of Fried, Frank, Harris, Shriver & Jacobson, 18 June 1996. http://jya.com/nsamint.htm.
- Ulf Lindqvist, Erland
Jonsson. “A map of security risks
associated with using COTS,” in IEEE Computer 31:6, 60-66, June
1998. Available: http://www.ce.chalmers.se/research/Computer_Security/Publikations/pubs/cots98.pdf,
March 2001.
- David Margrave, "GSM Security and Encryption", MS project report, ECE Department, George Mason University, May 1995. (This is a non-archival but heavily referenced net-document, found July 2000 at http://www3.l0pht.com/~oblivion/blkcrwl/cell/gsm/gsm-secur/gsm-secur.html. The author may be contacted at david@margrave.com.) See also David Wagner, “GSM Cloning”, web document, undated. Available: http://www.isaac.cs.berkeley.edu/isaac/gsm.html, March 2001.
- The
first four pages of "E-Government: Protecting New Zealand's
Infrastructure from Cyber-Threats", 8 Dec 2000, available
http://www.e-government.govt.nz/projects/niip/niip-report-final.pdf, April
2001.
- "S.E.E.
Mail", available http://www.e-government.govt.nz/projects/see/mail1.html,
April 2001.
- "S.E.E.
Mail - Frequently Asked Questions", available
http://www.e-government.govt.nz/projects/see/mail6.html, April 2001.
- The first four pages of "Interim Guidelines for PKT in Govt v0.97", November 2000, available http://www.e-government.govt.nz/guidelines/interim-guidelines-for-pkt-in-govt-v097.pdf, April 2001.
Secure Operations: Policy, Detection, Response
- J Bates, “Fundamentals of
computer forensics,” International Journal of Forensic Computing, Jan/Feb
1997. Available: http://www.forensic-computing.com/archives/fundamentals.html,
March 2001.
- N Brownlee, E Guttman. “Expectations for Computer Security Incident Response,” RFC 2350 of Internet RFC/STD/FYI/BCP Archives, June 1998. Available: http://www.faqs.org/rfcs/rfc2350.html, March 2001.
- P W Dowd and J T McHenry, “Network Security: It’s Time to Take It Seriously”, IEEE Computer, September 1998, pp. 24-28.
- Hector Garcia-Molina and
Narayanan Shivakumar, "Safeguarding and Charging for Information on
the Internet", Proc ICDE'98, February 1998. This paper, and
other papers co-authored by Shiva are available at http://www-db.stanford.edu/~shiva/.
- R Hunt, “Internet/Intranet
firewall security – policy, architecture and transaction services,” Computer
Communications 21 (1998), 1107-1123.
- T Killalea. “Recommended Internet Service Provider Security Services and Procedures,” RFC 3013 of Internet RFC/STD/FYI/BCP Archives, November 2000. Available: http://www.faqs.org/rfcs/rfc3013.html, May 2001.
- I Krsul and E Spafford. Authorship Analysis: Identifying the
Author of a Program, Technical Report CSD-TR 96-052 (Coast TR 96-06),
Department of Computer Sciences, Purdue University (USA), 27 pp,
1996. Available: ftp://ftp.cerias.purdue.edu/pub/papers/ivan-krsul/krsul-spaf-authorship-analysis.ps,
November 2000.
- V Paxson, “Bro: A System for
Detecting Network Intruders in Real-Time”, Computer Networks 31(23-24),
2435-2463, 14 Dec 1999. ftp://ftp.ee.lbl.gov/papers/bro-CN99.ps.gz.
Handouts on Technical Writing
- Effectively
Using Direct Quotations, University of Richmond Writer's Web, 2
pp., undated. Downloaded from
http://www.richmond.edu/~writing/wweb/dq.html, 15 March 2001.
- Honesty, Auckland University Computer Science Department Handbook, 2pp., undated. Downloaded from http://www.cs.auckland.ac.nz/handbook/current/UG.H.html, 15 March 2001.
- What is
Plagiarism, and Quoting, Summarizing
and Paraphrasing, by M Spears, Grosse Point North High School,
Michigan (USA), 2 pp., undated. Downloaded from
http://www.ehhs.cmich.edu/~mspears/plagiarism.html on 14 March 2001.
- Excerpts from F Woodford,
Scientific Writing for Graduate Students, Rockefeller University Press,
1968.
- A Eisenberg, Writing Well for
the Technical Professions, Harper & Row, 1989, pp. 39-40 and 46-51.
- E Papadakis, "Why and What
for (Four): The Basis for Writing a Good Introduction", Materials
Evaluation 41, Jan 1983, pp. 20-21.
- The
Research Process, Instructional Services, University of
Auckland, 19 July 1999. Available
http://www.auckland.ac.nz/lbr/instruct/research.htm, April 2001.